In a new report on how Donald Trump is settling into the White House, the New York Times mentioned something in passing that I think is a fairly big deal. He’s still using his old, unsecured Android phone, which previous reports claimed he gave up for a secure device managed by government experts. Aides have reportedly urged him to stop using the unsecured device, but he still uses it personally.

Completely ignoring the politics involved, this is a bad idea from a technological perspective. I regularly tell people they don’t need to run anti-virus apps on Android and not to worry about malware threats so much. The fact of the matter is, Android is very secure these days. However, it’s secure from a consumer perspective. Someone like the president is a big target for independent and state-sponsored hackers. I’ve spoken with some security researchers to get a grasp on the problem.

Every piece of software has flaws—every build of iOS, Android, Windows, desktop Linux, and so on will come with security patches in each update. Sometimes these patches are severe enough to allow a third-party access to your data. These are just the threats that are disclosed so they can be fixed or that are discovered internally by the software makers. Bug bounty programs exist to get security researchers to disclose vulnerabilities, but other groups will pay bigger bucks.

Private security firms regularly pay thousand of dollars for exclusive access to software vulnerabilities that can be used to compromise devices. My sense is that government actors do this as well, but no one has been willing to confirm that to me (no surprise there). These aren’t necessarily simple exploits, but there’s no defense against them. Expending this sort of effort to snoop on a regular person is not a good use of resources, but someone like the president? Sure.

Take this as an example: the famous Stagefright exploit was serious (it could run third-party code on your device), but it was difficult to actually use in real life. It was publicly disclosed and patched. If Stagefright or something like it were a privately held vulnerability, a properly motivated hacker could use it to target a specific person and get deep access to the device.

Android Malware

Even if Trump doesn’t use the phone for “official” business, it’s still an internet-connected device with consumer-grade security. If someone were to compromise the phone, we need only look at past mainstream Android malware attacks to see what they might be able to accomplish. Android malware could be used to track his location, monitor app usage, and take photos with the camera. If the privately held vulnerability is a root exploit, there’s no limit to what could be done. The phone’s OS could be modified to track every keystroke or run new services silently in the background that listen for audio using the microphone.

This is scary stuff, and probably not something the president should be carrying in his pocket.